Defeating Apple’s Touch ID: It’s easier than you may think

The hack using lifted fingerprints is easy; here's how you can make it harder.

This weekend's decisive defeat of Touch ID is the most poignant reminder yet of the significant limitations of using fingerprints, iris scans, and other physical characteristics to prove our identities to computing devices. As previously reported, a team of German hackers who have long criticized biometrics-based authentication bypassed the new iPhone feature less than 48 hours after its debut.

Many security researchers and writers, yours truly included, predicted that the ability of the high-definition scanner included in the iPhone 5S wouldn't be fooled by attacks using scanned fingerprint smudges to impersonate an already enrolled thumb or finger. It's now clear we were wrong. Hacker Starbug overcame the purported ability of Touch ID to read prints at a sub-epidermal level by using a slightly higher resolution camera to generate a cloned fingerprint. The availability of a laser printer also seemed to help.

Some critics have castigated the technique as too difficult for the average hacker. Others have argued that the hack has little significance in the real world. They cite Apple talking points that the protection of Touch ID represents a significant improvement over what many people have now, since a large percentage of iPhone users currently use no PIN at all to lock their phones. There's some merit in this second argument, since any protection, no matter how flawed, is better than none at all. But as Rob Graham, CEO of penetration testing firm Errata Security makes clear, Starbug's technique is easy for many people to carry out.

"Just because it's too much trouble for you doesn't mean it's too much trouble for a private investigator hired by your former husband," he wrote in an e-mail to Ars. "Or the neighbor's kid. Or an FBI agent. As a kid, I attended science fiction conventions in costume and had latex around the house to get those Vulcan ears to look just right. As a kid, I etched circuit boards. This sort of stuff is easy, easy, easy—you just need to try."

As Ars pointed out last week, there's little we can do to keep our fingerprints and other physical characteristics private. They leak every time we touch a door knob, wine glass, or ATM. And that calls into question whether Touch ID is a truly "secure" way to unlock phones, as Apple's own press release announcing the new feature claimed. That's not to say there aren't things people can do to limit the leakage, though.

Graham is one of the organizers behind istouchidhackedyet, a bounty program that pledged cash bounties to the first person who could override the new feature, which allows people to unlock their iPhones using one or more fingerprints. He told Ars that he's still waiting to see a detailed video that documents the hack from start to finish, but at this point he's satisfied that Starbug has met the requirements for the cash prize. He estimated the amount at about $10,000, after at least one of the people who pledged a bounty reneged on the promise.

As Ars pointed out last week, the security of iPhones would improve dramatically if Apple allowed users to unlock iPhones only after producing a valid PIN and fingerprint. This would make the iPhone a truly two-factor device, and Apple's decision not to provide the option is a missed opportunity. Given Apple's long history of removing clutter from menus and user interfaces, it seems unlikely that this option will ever be available.

For those who continue to use Touch ID, Graham suggested a simple step for minimizing the success of Starbug's attack: use only pinky or ring fingers to unlock your device. He said most prints left on glasses, iPhone screens, and other surfaces are from thumbs and index fingers. Enrolling a pinky or ring finger won't completely foreclose attacks like the one developed by Starbug, but it will require an attacker to work much harder to succeed.

Promoted Comments

How fresh was the fingerprint - Apple claims TouchID gets better at discerning your finger print with each use. I'm curious if this only fools Touch ID because it was a newly registered finger; as opposed to fooling TouchID after a fingerprint been used for a week, month, year. Time will tell. Still better than not having any security at all.

Any sufficiently determined attacker can crack 4-digit PIN codes as well. All they need to do is stealthily shoulder-surf as you type it in. Touch ID works better against average thieves than a PIN, as a thief needs to spend time taking a high resolution photo of your fingerprint, touching up the photo, getting to a laser printer, applying the latex, and letting the latex film settle. That gives the victim some time to remotely disable their phone from the Find My iPhone app.

Yes, it's true that a thief can perform these steps before stealing the phone, but that's a targeted attack. And with mobile devices, all bets are off in targeted attacks.

On the other hand, they can unlock your phone using TouchID without ever looking over your shoulder or figuring out your password. Your fingerprint is likely all over the screen, so if they want in, they just swipe your device immediately and go to work.

I don't understand this reaction to a fingerprint sensor not being perfect. Isn't that obvious? If apple had invented a perfect fingerprint sensor then a lot of three letter agencies would have been interested.

A lot of this seems to me to be missing the point. This was intended to be an easy and convenient way to secure a phone that otherwise would not have been secured. Loads of people do not bother with a PIN, and even then tend to use short four digit pins which are as dubious as a touch sensor. To me, anything that persuades more people to at least lock their phone is a win.

Having said that, the apple marketing could have done a better job at communicating this, and I sorely wish there was an option for two factor authentication all the time, rather that just at restarts.

Apple fudged the marketing and implementation of the fingerprint reader. I think it's fair to complain at this point, especially with solid evidence in hand of what everyone who knew anything about fingerprint scanning tech already suspected: that for all they dressed it up, this was not substantially better than any of the other easily beaten consumer grade fingerprint tech.

If they hadn't sold it as some amazing and perfectly secure thing (Apple really played it up quite a bit), there would have simply been statements of "well of course it's hackable, but it's better than swipe to unlock at least, and the newer tech at least makes it more difficult to hack than just using a piece of tape" and it would have been left at that.

Apple shot their own foot on this one, honestly. They were practically ASKING for someone to demonstrate a hack and in turn to have a big deal made of it. Especially by not having 2 factor as an always available option (or even via time-out as suggested above).

If I have sufficient access to take a high res picture of someone's fingerprint and duplicate it, then I have sufficient access to record that person entering their PIN with a buttoncam, camera in the frame of my eyeglasses, or even just holding up my camera and seemingly recording a video of a party while I'm actually capturing someone unlocking their phone.

Touch ID is no less secure than a 4 digit PIN code and this "hack" is the very definition of social engineering.

So you think that taking a used glass at a bar is at the same level of difficulty as actively recording video of a person's fingers, at the right angle, while they unlock their phone? Cameras can be used to record pins at an ATM bu its harder to use one when the target is mobile, and typing on a handheld screen. Fingerprints are everywhere - it's one of the first things forensics investigators look for at a crime scene.

Couldn't this go both ways. couldn't you create a fake fingerprint this same way and put it on your finger only to unlock the phone. That would sound pretty secure to me. Now they would have to pickpocket me and take my phone. If you are looking for hard core security you should be thinking outside of the box just like the hackers. This idea is not about making your phone fort knox. It's about making your phone secure enough while it's sitting on the table with your wifes birthday gifts web page open and you had to make an emergency bathroom break.

You people are obviously doing things much more interesting or more legally questionable than I am if you are so worried about your data that you feel the need for a unbreakable password. Also you must be a little bit dumb to have all of your most secret data in plain text and accessible with only the password that unlocks your phone.

One thing that everyone is forgetting here is that the iPhone 5S screen is coated with the same oleophobic material that all recent iPhones have. While the coating does wear off eventually (the 4S that I replaced was horrible for fingerprints after the first year of use), I have been unable to deliberately leave a fingerprint on my 5S screen despite multiple attempts. Granted, it's not a perfect solution, but it's not as bad as the image from the article would imply.

The article is poor for several reasons including about the effort it takes to get a good, clear fingerprint from a phone, and the time it takes to create an accurate latex copy of the print which can fool the sensor. The thief only has 48 hours to fool the sensor and then only the password can unlock the phone.

* It should be remembered that the CCC in their video did not show the full time of the stunt from where the print came from, was the iPhone being used as a regular phone, and how much time it took to make the latex fingerprint copy. - Now if Ars wants to do a test on the iPhone 5S fingerprint sensor, to produce transparent/timed results, then I'd welcome it.

* Instead Dan Goodwin counters the effort and time problem of making accurate latex fingerprints by posting this unuseful speculation.

Quote:

Just because it's too much trouble for you doesn't mean it's too much trouble for a private investigator hired by your former husband," he wrote in an e-mail to Ars. "Or the neighbor's kid. Or an FBI agent. As a kid, I attended science fiction conventions in costume and had latex around the house to get those Vulcan ears to look just right. As a kid, I etched circuit boards. This sort of stuff is easy, easy, easy—

In reading this a lack of logic comes to mind. - If a kid, who is a criminal, has access to my home (I assume while I'm away), then getting my fingerprints and making latex copies is not the "easy, easy, easy" thing to do. - I have a friend who left his two teenage daughters home while he went on a trip with his wife. He returned to a house that had been looted of all electronics (because of a party that got out of hand).- Another friend of mine was on his honeymoon and he returned to a house that had all his wedding presents stolen. He had people staying over night but they left the day he returned and that's when the theft took place.

The obvious thing I'm bringing up here is the possibility of rampant stealing at a person's home. And it not only can involve personal belongings but can include the stealing of mail (account statements), check books, the finding of Social Security numbers and the looting of bank/brokerage accounts.

If a criminal has access to my house for months, then a latex copy of my fingerprints is the least of my worries.

* Of course I realize that this is an article about Apple and so, I expect far fetched criticism.

Considering the new device had been out for under 48 hours when the exploit was published ... and they obviously needed time to actually get one, bring it home and work with it a bit ... isn't the question of how long this takes pretty much moot? The initial unskilled proof-of-concept was unequivocally completed and published within the timeout period from the device's release. The "it's too slow to really work" ship has already sailed. With practice and refinement, it only gets faster.

I'm not sure why you think it takes months of access for someone to squirt a bit of graphite on any number of surfaces and snap a photo with their iPhone (which is certainly hi-res enough for the job) when a mere overnight visit provided more than enough opportunity to clean out an entire wedding's worth of bulky gifts; which seems a much more difficult exploit in almost every respect. It may be the least of your worries, but if you are in the process of being completely robbed, why would you want to top it off by creating a situation where a digital copy of your fingerprints has been elevated in value to the point of being worthwhile to potentially steal also?

And while we're playing the logic game, it bears mentioning that kids hack devices for all sorts of reasons and often don't view themselves as criminals per-se ... one who's the sort to pwn your iPhone is probably not the same sort who would flat-out steal and pawn it. Simply put, the existence of lions does not mitigate the dangers posed by the tigers and bears. Oh my.

155 Reader Comments

I guess in retrospect, fingerprints aren't the best idea for biometrics on a phone since the prints themselves are left on the device with typical use. So basically, steal the phone and you have the print. I wonder if they could have you image your knuckles or something like that instead.

Some critics have castigated the technique as too difficult for the average hacker. Others have argued the hack has little significance in the real world.

People saying this also have to remember that this technique was developed less than 48 hours after they got their hands on the device -- I'm sure there will be easier hacks out there soon enough.

Quote:

As Ars pointed out last week, the security of iPhones would improve dramatically if Apple allowed users to unlock iPhones only after producing a valid PIN and fingerprint. This would make the iPhone a truly two-factor device, and Apple's decision not to provide the option is a missed opportunity.

Hopefully an Android handset maker implements a Touch ID equivalent, doesn't get sued by Apple, and a custom lock screen can be added into a custom ROM -- cyanogenmod et al. -- to do just this.

I guess in retrospect, fingerprints aren't the best idea for biometrics on a phone since the prints themselves are left on the device with typical use. So basically, steal the phone and you have the print. I wonder if they could have you image your knuckles or something like that instead.

There isn't even any retrospect. This is obvious. It is like the picture password on Win8 devices. It doesn't make sense because once you have the device you have the print.

The author's suggestion is a very good one as most people won't use anything other than a thumb or a forefinger to press the home button aside from unlocking it.

The long and the short of it really is to not lose control of your device. Physical compromise is almost a guarantee that your information will be disclosed.

Another tip is to validate prints only from the left fingers if you're right-handed or vice versa. If you always open doors or drink using the right hand, you'll hardly ever donate your usable print info to anyone.

How about using only the tip of your thumb? Also not frequently left on a beer glass?For me, I think the convenience still outweighs the risks (assuming I can get my claws on an actual 5s).

If you touch the screen you are going to leave a print, doesn't matter if its the fingertip, thumb tip, toe print, nose print, ear print, genital print....

They are lifting what ever the print is from the screen, duplicating that print, then using it to get into the phone. So if, for example, someone steals the phone and is able to lift and duplicate the print they will still be able to get into the phone.

It amazes me that Touch ID was not implemented along side of a two factor system on the debut. Apple has a very well thought out UI with a lot of features that have stood the test of time and considering their market penetration, having thoughtful security should be at the top of their priorities now.

I don't understand this reaction to a fingerprint sensor not being perfect. Isn't that obvious? If apple had invented a perfect fingerprint sensor then a lot of three letter agencies would have been interested.

A lot of this seems to me to be missing the point. This was intended to be an easy and convenient way to secure a phone that otherwise would not have been secured. Loads of people do not bother with a PIN, and even then tend to use short four digit pins which are as dubious as a touch sensor. To me, anything that persuades more people to at least lock their phone is a win.

Having said that, the apple marketing could have done a better job at communicating this, and I sorely wish there was an option for two factor authentication all the time, rather that just at restarts.

"Just because it's too much trouble for you doesn't mean it's too much trouble for a private investigator hired by your former husband," he wrote in an e-mail to Ars. "Or the neighbor's kid. Or an FBI agent. As a kid, I attended science fiction conventions in costume and had latex around the house to get those Vulcan ears to look just right. As a kid, I etched circuit boards. This sort of stuff is easy, easy, easy—you just need to try."

Any sufficiently determined attacker can crack 4-digit PIN codes as well. All they need to do is stealthily shoulder-surf as you type it in. Touch ID works better against average thieves than a PIN, as a thief needs to spend time taking a high resolution photo of your fingerprint, touching up the photo, getting to a laser printer, applying the latex, and letting the latex film settle. That gives the victim some time to remotely disable their phone from the Find My iPhone app.

Yes, it's true that a thief can perform these steps before stealing the phone, but that's a targeted attack. And with mobile devices, all bets are off in targeted attacks.

How fresh was the fingerprint - Apple claims TouchID gets better at discerning your finger print with each use. I'm curious if this only fools Touch ID because it was a newly registered finger; as opposed to fooling TouchID after a fingerprint been used for a week, month, year. Time will tell. Still better than not having any security at all.

Any sufficiently determined attacker can crack 4-digit PIN codes as well. All they need to do is stealthily shoulder-surf as you type it in. Touch ID works better against average thieves than a PIN, as a thief needs to spend time taking a high resolution photo of your fingerprint, touching up the photo, getting to a laser printer, applying the latex, and letting the latex film settle. That gives the victim some time to remotely disable their phone from the Find My iPhone app.

Yes, it's true that a thief can perform these steps before stealing the phone, but that's a targeted attack. And with mobile devices, all bets are off in targeted attacks.

On the other hand, they can unlock your phone using TouchID without ever looking over your shoulder or figuring out your password. Your fingerprint is likely all over the screen, so if they want in, they just swipe your device immediately and go to work.

God, recommending using an inconvenient finger for unlocking is a really ugly workaround...

What I would like Apple to do: Add a configurable timeout for TouchID after which it requires a PIN:

Immediately5 minutes15 minutes1 hour2 hours6 hours

Make it default to 1 hour.

This would mean that

a) whatever you set it to you'd need to type your PIN at least once a day (in the morning, if you sleep more than 6 hours) which at least means you will remember it. The current timeout of 48 hours (or a reboot of the phone) basically means that most people will have forgotten their PIN when they need it.

b) the default of one hour would mean that a thief would need to be really fast with nicking your device and faking a finger.

c) if you REALLY need security set the timeout to "Immediately" and presto, you have two-factor authentication.

If Apple would have done that right away nobody would have to complain about all of this.

TouchID is a convenience feature, no more, no less. It's much better than not having a PIN and much more convenient than a PIN (or even a complex password). Apple should have marked it as this by choosing defaults wisely and allowing an option to turn it into a security feature (by using it for two-factor authentication without a timeout).

In all honesty, the notion that this was going to be particularly secure never should have been forwarded - it's a secondary convenience feature that keeps the honest people out of your phone (much like the function the door locks on most private dwelling do for its security). One can hope that Apple put enough thought into the design that the fingerprints left on the button time after time don't trigger it...

Purpose-built biometric scanners costing more than the (unsubsidised) price of this phone can be defeated with access to prints, irises, blood vessel patterns on the back of your hand, etc. Even those that purport to detect live fingers, hands, whatnot have been defeated. There's no magic bullet factor of security - biometrics would ideally simply become part of the authentication. I've often heard it said that the ideal authentication scheme consists of something you know, something you have, and something you are - ie a password, a token, and a biometric.

How fresh was the fingerprint - Apple claims TouchID gets better at discerning your finger print with each use. I'm curious if this only fools Touch ID because it was a newly registered finger; as opposed to fooling TouchID after a fingerprint been used for a week, month, year. Time will tell. Still better than not having any security at all.

I took Apple's statement to mean it unlocks easier over time since it's seen more of your finger with each use. I think the hack would get easier over time, not harder.

If I have sufficient access to take a high res picture of someone's fingerprint and duplicate it, then I have sufficient access to record that person entering their PIN with a buttoncam, camera in the frame of my eyeglasses, or even just holding up my camera and seemingly recording a video of a party while I'm actually capturing someone unlocking their phone.

Touch ID is no less secure than a 4 digit PIN code and this "hack" is the very definition of social engineering.

Given Apple's long history of removing clutter from menus and user interfaces, it seems unlikely that this option will ever be available.

I bet this will be available on Cydia shortly after the jailbreak for the 5s is discovered. Hopefully Apple can be brought around to adding it to the phone as well, it seems like it should be pretty easy to implement.

I amazes me that a half baked, incomplete video is taken at face value and everything that Apple and Authentec has published is trashed as a lie.

Granted, someone will likely find a workable hack around the fingerprint reader in the iPhone 5S, but I simply don't believe that what these guys in Germany did (just a more complicated form of fingerprint lifting) is all it takes to circumvent the sub epidemal, 3D capacitive topology mapping technology of the Authentec sensor.

This type of hack would surely have been among the FIRST things that Apple would have attempted as part of their technical due diligence prior to purchasing Authentec.

Until a COMPLETE video, with absolute timeline integrity, starting with an iPhone devoid of ALL fingerprint training, that documents the ENTIRE process AND the process is replicated by numerous others using the same process, this is nothing more than an attempt to claim a prize, NOT defeat Touch ID.

Apple is NOT infallible, but they are far from stupid and they have hundreds of millions invested in this technology as well as their reputation on the line, so I call BS on this purported hack until it is absolutely proven.

I think I can safely predict a new Apple product on the horizon: the iThumb prophylactic. You use it when you don't want to leave your thumbprint around. You use the handy patented flip clip to quickly plant your print on the home button.

I'm curious as to the source for the claim that "it seems unlikely that this option will ever be available".

Yes, I can tell that this option isn't there now, but I, for one, think it'll be in an update to iOS 7 shortly: ability to require both fingerprint and password. It seems like low-hanging fruit.

Passwords and fingerprints are equivalent: if you share them with someone then they can use them. Sure, fingerprints are "easy" to share (accidentally), so it seems obvious that the system has a built-in flaw. As many have said, it's almost impossible to keep your retina or fingerprint truly "secret" (when I got my green card, they took all my fingerprints, so the government could easily use this method to access my phone (if I had a 5s)).

I don't understand the "surprise" here. Lifting fingerprints and generating a "fake" finger is not new, why is anyone surprised that it works?

Author, the sky is not falling. The sort of hack over the weekend required physical access to the phone and the phone's fingerprint-registered owner himself. He was complicit. That's a bit much. If I lose my phone at Disneyland and return home 1,000 away, will this hack work?

TouchID is a convenience feature, no more, no less. It's much better than not having a PIN and much more convenient than a PIN (or even a complex password). Apple should have marked it as this by choosing defaults wisely and allowing an option to turn it into a security feature (by using it for two-factor authentication without a timeout).

I think for the average Joe TouchID is good enough. My brother has a passcode on his phone, because he doesn't trust that the people he hangs out with aren't going to grab his phone and post fake messages to Facebook, etc. Nobody is going to go through the trouble lifting prints and generating a fake finger so they can get onto a friend's phone to snoop around or pull pranks.

The only people who might have a reason to be worried would be the sort of people in occupations where they have lots of confidential information and contacts stored on the phone, which I suspect is actually the minority of iPhone 5s owners.

I don't understand this reaction to a fingerprint sensor not being perfect. Isn't that obvious? If apple had invented a perfect fingerprint sensor then a lot of three letter agencies would have been interested.

A lot of this seems to me to be missing the point. This was intended to be an easy and convenient way to secure a phone that otherwise would not have been secured. Loads of people do not bother with a PIN, and even then tend to use short four digit pins which are as dubious as a touch sensor. To me, anything that persuades more people to at least lock their phone is a win.

Having said that, the apple marketing could have done a better job at communicating this, and I sorely wish there was an option for two factor authentication all the time, rather that just at restarts.

Apple fudged the marketing and implementation of the fingerprint reader. I think it's fair to complain at this point, especially with solid evidence in hand of what everyone who knew anything about fingerprint scanning tech already suspected: that for all they dressed it up, this was not substantially better than any of the other easily beaten consumer grade fingerprint tech.

If they hadn't sold it as some amazing and perfectly secure thing (Apple really played it up quite a bit), there would have simply been statements of "well of course it's hackable, but it's better than swipe to unlock at least, and the newer tech at least makes it more difficult to hack than just using a piece of tape" and it would have been left at that.

Apple shot their own foot on this one, honestly. They were practically ASKING for someone to demonstrate a hack and in turn to have a big deal made of it. Especially by not having 2 factor as an always available option (or even via time-out as suggested above).

There's some merit in this second argument, since any protection, no matter how flawed, is better than none at all.

A false sense of security may cause people to be more lax about their security, which may make things worse.

More pertinently, I think, why would someone too lazy to use a PIN bother with swiping their fingers?

The bald fact of the matter is that a lot of people just don't get why we should maximize security. One of my coworkers straight up said "If someone wants in my phone, they'll just get in anyway"; I've seen that basic sentiment from pretty much every walk of life, including geeks who have a better than average understanding of the situation. It rather baffles me.

Also, it annoys me; I know at least one person has had their device stolen, and I ended up on mailing lists and shit because I was on the contact list. Now it's stopped being their problem, and become mine.

The author does not give Apple sufficient credit when implying they would not be interested in making two-factor authentication an option. They did with iCloud. IF this proves to be a problem with people getting hacked, you can bet they will implement it. It would be a minor tweak to the Touch ID API.

Lots of people have pointed out the critically flawed video to begin with. The media for the fingerprint is transparent. How do we know it wasn't actually reading through the media and getting an actual fingerprint of the hacker? I think more scrutiny is justified before declaring this a "decisive" defeat of Touch ID.

A lot of this hand-wringing and hysterical headline writing is a bit premature and will only become a legitimate concern if someone comes up with a way to hack a phone in less time than a person takes to figure their phone is missing and wiping it. And anyone who can wipe it using the tools in iCloud who has a tiny bit of savvy is going to have already set up the two-factor security setup for unbricking a bricked phone in this process.

Some critics have castigated the technique as too difficult for the average hacker. Others have argued the hack has little significance in the real world.

People saying this also have to remember that this technique was developed less than 48 hours after they got their hands on the device -- I'm sure there will be easier hacks out there soon enough.

Its inaccurate to imply this hack method was developed in 48 hours, this approach to spoofing fingerprint readers has been around a long time. It just took 48 hours for someone to make a video of using it on an iPhone 5S.

I want to see this "hack" verified by another party. If successful then it means that capacitive sensors differ from optical sensors in that they simply require a 3D replication of the fingerprint. However, its hard to imagine that you could properly create a 3D replica of a fingerprint from a 2D smudge left on glass unless the sensor is not sensitive enough to the microscopic distance between hills and valleys on your fingerprints.

The other thing I want to know is "how long" it takes to produce the 3D replica of the fingerprint. If it takes more than 48 hours, then Touch ID's automatic deactivation will prevent access without a password after 48 hours. If Apple let me control how long that timeout was then I would feel even better. For me, I would set it closer to 12 hours.

Also, keep in mind that there is still Find My iPhone on the device. Certainly, a thief could steal the device but if they shut it down to prevent remote wiping then rebooting would cause Touch ID to require a password again. So unless you are dumb enough to enable Control Center on lock screen and give the thief access to Airplane Mode, then the thief had better bring something to shield the device from radio signals while they are working on removing your fingerprints from it.

It certainly seems like a whole lot of hoops to go through and not nearly as easy as Graham implies in this article. It also seems like a couple of steps like allowing users to configure their Touch ID timeout or even requiring a simple "second factor" like proximity and connection to another device like an iWatch would easily take Touch ID to the level it needs to be for corporate security.

"Having a passcode is a mandatory Touch ID requirement. You can’t choose to only use Touch ID to unlock your device. In the event that your fingerprint isn’t recognized, you can always manually type in your passcode."

"If you’ve restarted your phone, you need to manually type in your passcode once before you can use Touch ID. If you haven’t unlocked your phone in 48 hours, you’ll need to supply your passcode before Touch ID is an option. Repeated failed attempts (5) to access your 5s via Touch ID will force you to enter a passcode as well."